Objective
When a server is compromised, the attacker will in most cases modify important files, such as system files. To address this we use Tripwire to build a file-integrity monitoring system. Although it cannot prevent an attack or stop an intruder from altering important files, it can detect whether files have been modified and which ones, so that after an attack a targeted recovery plan can be drawn up.
Tripwire works as follows: once installed and configured, it records the current state of the system's files in a database. As files are added, deleted and changed, the live system state is compared with the database (which is updated as needed) to determine which files have been added, removed or modified. Because the initial database reflects the state of the system at the moment Tripwire is installed, the monitoring system must be set up before the server goes into service, ideally right after the operating system has been installed, for that baseline to be trustworthy.
Tripwire Introduction
When Tripwire runs in database-generation mode, it reads the files specified for monitoring according to a configuration file set up by the administrator, generates a digital signature (a hash) for each file, and saves the results in its own database. By default the MD5 and Snefru (Xerox's Secure Hash Function) algorithms are combined to produce each file's signature. Administrators can also use hash functions such as MD4, CRC32 and SHA, but in practice the two defaults are very reliable; combining MD5 and Snefru (Snefru in particular) is the more expensive option in system resources, so the choice can be made file by file according to how important the file is. When an intrusion is suspected, Tripwire compares the signatures in the previously generated database with those of the current files; if a file has been replaced and its signature no longer matches the one stored in the Tripwire database, Tripwire reports that file as changed, and the administrator knows the system is no longer "clean".
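As an added illustration of the principle described in the Objective and Introduction above (this is example code written for this page, not Tripwire's own code and not part of the original tutorial), the following POSIX shell script implements the same idea at its simplest: record one hash per file in a baseline, then compare the live tree against it and report what was added, removed or modified. It assumes sha256sum, find, awk, sort and join are installed and that file names contain no whitespace; the script, file and function names are invented for the example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial and not Tripwire's code:
# a minimal file-integrity baseline in the style Tripwire uses. One hash per
# file is recorded once ("init"); later runs recompute the hashes and report
# which files were added, removed or modified. Assumes sha256sum, find, awk,
# sort and join are available and that paths contain no whitespace.
LC_ALL=C; export LC_ALL   # one collation for sort and join

# Hash every regular file below DIR, printing "path hash", sorted by path.
_hash_tree() {  # usage: _hash_tree DIR
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | awk '{ print $2, $1 }' | sort
}

# Record the baseline: write the current hashes of DIR to DBFILE.
integrity_baseline() {  # usage: integrity_baseline DIR DBFILE
    [ -d "$1" ] || return 2
    _hash_tree "$1" > "$2"
}

# Compare DIR against DBFILE. Prints one line per difference:
#   ADDED <path> | REMOVED <path> | MODIFIED <path>
# Exit status 0 when nothing changed, 1 when any difference was found.
integrity_check() {  # usage: integrity_check DIR DBFILE
    [ -d "$1" ] && [ -f "$2" ] || return 2
    ic_cur=$(mktemp); ic_diff=$(mktemp)
    _hash_tree "$1" > "$ic_cur"
    {
        join -v 1 "$2" "$ic_cur" | awk '{ print "REMOVED", $1 }'            # only in baseline
        join -v 2 "$2" "$ic_cur" | awk '{ print "ADDED", $1 }'              # only on disk now
        join "$2" "$ic_cur"      | awk '$2 != $3 { print "MODIFIED", $1 }'  # hash differs
    } | sort > "$ic_diff"
    cat "$ic_diff"
    ic_n=$(wc -l < "$ic_diff" | tr -d ' ')
    rm -f "$ic_cur" "$ic_diff"
    [ "$ic_n" -eq 0 ]
}

# Command-line use:  tripwire-lite.sh init DIR DB   |   tripwire-lite.sh check DIR DB
case "${1:-}" in
    init)  integrity_baseline "$2" "$3" ;;
    check) integrity_check "$2" "$3" ;;
esac
```

Run `sh tripwire-lite.sh init /etc /var/lib/baseline.db` once on a known-clean system and `sh tripwire-lite.sh check /etc /var/lib/baseline.db` later; the exit status is 0 only when nothing changed. The script makes the ordering point above concrete: a baseline taken after a compromise would simply enshrine the intruder's files as the expected state. What Tripwire adds on top of this is what the rest of the tutorial sets up: signed database and policy files, per-file property checks (mode, owner, inode, several hash algorithms, as seen in the report later on) and a rule-based policy language.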
Tripwire software features
Tripwire supports most UNIX operating systems. Installing it requires a build environment (gcc or cc) as well as gzip, gunzip and similar decompression tools; these can be obtained from the usual sources and are not covered here. In the download section of the Tripwire homepage you will find the Tripwire 1.3 ASR version, which is currently free to download.
Using a detection tool such as Tripwire or AIDE to discover intruders in a timely manner gives you a good system integrity check. Unlike other intrusion detection tools, these do not detect intrusions through so-called attack signatures; instead they monitor and check for changes to the system.
Install tripwire
First, install Tripwire.
[root@sample ~]# wget http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz ← download the source code
--02:21:30--  http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz
           => `tripwire-2.3.1-2.tar.gz'
Resolving jaist.dl.sourceforge.net... 150.65.7.130
Connecting to jaist.dl.sourceforge.net|150.65.7.130|:80... connected.
HTTP request sent, awaiting response... OK
Length: 1,514,955 (1.4M) [application/x-gzip]
100%[====================================>] 1,514,955      1.29M/s
02:21:32 (1.28 MB/s) - `tripwire-2.3.1-2.tar.gz' saved [1514955/1514955]
[root@sample ~]# tar zxvf tripwire-2.3.1-2.tar.gz ← unpack the archive
[root@sample ~]# cd tripwire-2.3.1-2 ← enter the unpacked directory
[root@sample tripwire-2.3.1-2]# wget http://distfiles-od.opendarwin.org/tw-20030919.patch.gz ← download the Tripwire patch file
--02:28:43--  http://distfiles-od.opendarwin.org/tw-20030919.patch.gz
           => `tw-20030919.patch.gz'
Resolving distfiles-od.opendarwin.org... 216.73.106.93
Connecting to distfiles-od.opendarwin.org|216.73.106.93|:80... connected.
HTTP request sent, awaiting response... OK
Length: 786,411 (768K) [application/x-gzip]
100%[====================================>] 786,411      164.35K/s    ETA 00:00
02:28:50 (154.51 KB/s) - `tw-20030919.patch.gz' saved [786411/786411]
[root@sample tripwire-2.3.1-2]# gunzip tw-20030919.patch.gz ← decompress the patch file
[root@sample tripwire-2.3.1-2]# patch -p1 < tw-20030919.patch ← apply the patch to the source
[root@sample tripwire-2.3.1-2]# chmod 755 configure ← make the configure script executable
[root@sample tripwire-2.3.1-2]# ./configure --sysconfdir=/etc/tripwire ← run configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for a BSD compatible install... /usr/bin/install -c
..........................................
..........................................
...... intermediate output omitted ......
..........................................
..........................................
config.status: creating src/twprint/Makefile
config.status: creating src/twadmin/Makefile
config.status: creating src/siggen/Makefile
config.status: creating src/tripwire/Makefile
config.status: creating config.h
[root@sample tripwire-2.3.1-2]# make ← compile
cd . && /bin/sh /root/tripwire-2.3.1-2/missing --run autoheader
configure.in:9: warning: do not use m4_patsubst: use patsubst or m4_bpatsubst
aclocal.m4:546: AM_CONFIG_HEADER is expanded from...
configure.in:9: the top level
configure.in:401: warning: do not use m4_regexp: use regexp or m4_bregexp
aclocal.m4:559: _AM_DIRNAME is expanded from...
configure.in:401: the top level
cd . \
  && CONFIG_FILES= CONFIG_HEADERS=config.h \
     /bin/sh ./config.status
..........................................
..........................................
...... intermediate output omitted ......
...... this takes a while ......
..........................................
..........................................
make[2]: Leaving directory `/root/tripwire-2.3.1-2/src'
make[2]: Entering directory `/root/tripwire-2.3.1-2'
make[2]: Nothing to be done for `all-am'.
make[2]: Leaving directory `/root/tripwire-2.3.1-2'
make[1]: Leaving directory `/root/tripwire-2.3.1-2'
[root@sample tripwire-2.3.1-2]# make install ← install
Making install in man
make[1]: Entering directory `/root/tripwire-2.3.1-2/man'
Making install in man4
make[2]: Entering directory `/root/tripwire-2.3.1-2/man/man4'
make[3]: Entering directory `/root/tripwire-2.3.1-2/man/man4'
make[3]: Nothing to be done for `install-exec-am'.
/bin/sh ../../mkinstalldirs /usr/local/man/man4
mkdir /usr/local/man
..........................................
..........................................
...... intermediate output omitted ......
..........................................
..........................................
Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R)
is a registered trademark of the Purdue
Licensed exclusively to Tripwire (R) Security Systems, Inc.
LICENSE AGREEMENT for Tripwire (R) 2.3 Open Source
Please read the following license agreement. You must accept the
agreement to continue installing Tripwire.
Press ENTER to view the License Agreement. ← press ENTER to read the agreement
..........................................
..........................................
← while viewing the agreement, press the space bar to page through it
..........................................
..........................................
Please type "accept" to indicate your acceptance of this
License Agreement. [do not accept] accept ← type "accept" to accept the agreement
Using configuration file ./install/install.cfg
Checking for programs specified in install configuration file....
/usr/sbin/sendmail exists.  Continuing installation.
/bin/vi exists.  Continuing installation.
----------------------------------------------
Verifying existence of binaries...
./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found
This program will copy Tripwire files to the following directories:
        TWBIN: /usr/local/sbin
        TWMAN: /usr/local/man
     TWPOLICY: /etc/tripwire
     TWREPORT: /usr/local/lib/tripwire/report
         TWDB: /usr/local/lib/tripwire
 TWSITEKEYDIR: /etc/tripwire
TWLOCALKEYDIR: /etc/tripwire
CLOBBER is false.
Continue with installation? [y/n] y ← type y to continue the installation
----------------------------------------------
Creating directories...
/usr/local/sbin: already exists
/etc/tripwire: created
/usr/local/lib/tripwire/report: created
/usr/local/lib/tripwire: already exists
/etc/tripwire: already exists
/etc/tripwire: already exists
/usr/local/man: already exists
/usr/local/doc/tripwire: created
----------------------------------------------
Copying files...
/usr/local/doc/tripwire/README: copied
/usr/local/doc/tripwire/RELEASE_NOTES: copied
/usr/local/doc/tripwire/COPYING: copied
/usr/local/doc/tripwire/TRADEMARK: copied
/usr/local/doc/tripwire/policyguide.txt: copied
/etc/tripwire/twpol-linux.txt: copied
----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.
Passphrases should be at least 8 characters in length
and contain both letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ← enter the site keyfile passphrase (it is not echoed); remember it
Verify the site keyfile passphrase: ← enter the site keyfile passphrase again
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ← enter the local keyfile passphrase (it is not echoed); remember it
Verify the local keyfile passphrase: ← enter the local keyfile passphrase again
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Generating Tripwire configuration file...
----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase: ← enter the site keyfile passphrase (not echoed)
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.
----------------------------------------------
Customizing default policy file...
----------------------------------------------
Creating signed policy file...
Please enter your site passphrase: ← enter the site keyfile passphrase (not echoed)
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.
----------------------------------------------
The installation succeeded.
Please refer to /usr/local/doc/tripwire/release_notes
for release information and to the printed user documentation
for further instructions on using Tripwire 2.3 Open Source.
make[3]: Leaving directory `/root/tripwire-2.3.1-2'
make[2]: Leaving directory `/root/tripwire-2.3.1-2'
make[1]: Leaving directory `/root/tripwire-2.3.1-2'
[root@sample tripwire-2.3.1-2]# cd ← return to root's home directory
[root@sample ~]# rm -rf tripwire-2.3.1-2 tripwire-2.3.1-2.tar.gz ← delete the source files now that installation is complete
Configure Tripwire
[1] Configuration of the configuration file
[root@sample ~]# vi /etc/tripwire/twcfg.txt ← edit the text-format Tripwire configuration file
LOOSEDIRECTORYCHECKING =false ← find this line and change false to true (do not check the integrity of a directory itself when only its contents change)
↓
LOOSEDIRECTORYCHECKING =true ← after the change
REPORTLEVEL =3 ← find this line and change 3 to 4 (raises the detail level of the check report)
↓
REPORTLEVEL =4 ← after the change
[root@sample ~]# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt ← create the signed (encrypted) configuration file from the text file
Please enter your site passphrase: ← enter the site keyfile passphrase (not echoed)
Wrote configuration file: /etc/tripwire/tw.cfg
[root@sample ~]# rm -f /etc/tripwire/twcfg.txt ← delete the text-format configuration file so it does not remain as a security risk
Note: the text-format configuration file can be restored at any time with "twadmin --print-cfgfile > /etc/tripwire/twcfg.txt".
[2] Configuration of the policy file
The Tripwire database is built from the policy file. However, the default policy file does not establish integrity-monitoring rules that fit our needs (it lists many files that do not exist on this system and may carry the wrong host name), so we use a Perl script to adapt it so that the monitoring really matches what we need.
[root@sample ~]# vi /etc/tripwire/twpolmake.pl ← create the Perl script used to generate the policy file
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., Temple Place - Suite, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE = $ARGV[0];

open(POL, "$POLFILE") or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my ($INRULE) = 0;

while (<POL>) {
    chomp;
    # Replace the HOSTNAME variable with this machine's real host name
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname`; chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    # Track whether we are inside a rule block ({ ... })
    elsif (/^{/) {
        $INRULE = 1;
    }
    elsif (/^}/) {
        $INRULE = 0;
    }
    # Inside a rule: "[#] /path -> property-mask;" entries
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g);   # strip an existing comment marker, remember whether there was one
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # the path does not exist (or is empty) on this system: comment the entry out
            $_ = "$sharp\#$tpath$cond" if ($ret == 0);
        }
        else {
            # the path exists: keep the entry active (uncommented)
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close(POL);
[root@sample ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.out ← generate the policy file
[root@sample ~]# rm -f /etc/tripwire/twpol.txt ← delete the default policy file
[root@sample ~]# mv /etc/tripwire/twpol.txt.out /etc/tripwire/twpol.txt ← rename the newly created policy file to the default policy file name
[root@sample ~]# vi /etc/tripwire/twpol.txt ← edit the policy file
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0); ← find this line (around line 113) and add the following statement on the line after it
!$(TWDB)/$(HOSTNAME).twd; ← add this line (do not monitor the database file)
[root@sample ~]# twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt ← create the signed (encrypted) policy file from the text file
Please enter your site passphrase: ← enter the site keyfile passphrase (not echoed)
Wrote policy file: /etc/tripwire/tw.pol
[root@sample ~]# rm -f /etc/tripwire/twpol.txt ← delete the text-format policy file so it does not remain as a security risk
Note: the text-format policy file can be restored at any time with "twadmin --print-polfile > /etc/tripwire/twpol.txt".
[3] Build the database
[root@sample ~]# tripwire --init ← build the database
Please enter your local passphrase: ← enter the local keyfile passphrase (not echoed)
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/lib/tripwire/sample.centospub.com.twd
The database was successfully generated.
Run Tripwire
Now test it and put Tripwire to work.
[1] Create the Tripwire run script:
[root@sample ~]# vi tripwire-check ← create the Tripwire run script
#!/bin/bash

PATH=/usr/local/sbin:/usr/bin:/bin

SITEPASS=********   # site key passphrase ← replace the asterisks with the site keyfile passphrase
LOCALPASS=********  # local key passphrase ← replace the asterisks with the local keyfile passphrase
REPORTFILE=/usr/local/lib/tripwire/report/`hostname`-`date +%Y%m%d`.twr

# Run the Tripwire check
tripwire --check -r "$REPORTFILE" | logger -t tripwire

# Mail the Tripwire report to root when violations were found
cd /etc/tripwire
REPORTPRINT=`mktemp`
twprint -m r -c tw.cfg -r "$REPORTFILE" -L `hostname`-local.key -t 4 > "$REPORTPRINT"
if [ -z "$(grep -E 'Total violations found: *0$' "$REPORTPRINT")" ]; then
    mail -s "Tripwire(R) Integrity Check in `hostname`" root < "$REPORTPRINT"
fi
rm -f "$REPORTPRINT"

# Update the policy file
cd /etc/tripwire
twadmin --print-polfile > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.out
twadmin --create-polfile -S site.key -Q "$SITEPASS" twpol.txt.out | logger -t tripwire
rm -f twpol.*

# Update the database
rm -f /usr/local/lib/tripwire/`hostname`.twd
tripwire --init -P "$LOCALPASS" | logger -t tripwire
[root@sample ~]# chmod 700 tripwire-check ← make the run script executable, readable by root only since it contains the passphrases
Note: the check report is saved in encrypted form in /usr/local/lib/tripwire/report, and the log output goes to /var/log/messages via logger. Because the script re-initialises the database at the end of every run, each change is reported exactly once, in the run that first sees it; the next run treats the changed state as the new baseline.
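The run script above decides whether to mail root by grepping for the literal "Total violations found:" line, which breaks as soon as the spacing in twprint's output differs from what the grep expects. The following POSIX shell functions, added here as an example (they are not from the tutorial and not Tripwire's own code), parse the plain-text report format shown in section [3] more carefully: they extract the violation count, decide whether a mail is warranted, and list the rules marked with "*" in the Rule Summary, including the long rule names that twprint wraps onto a second line. The report embedded in sample_report is constructed for the example and its numbers are made up; the function names are invented.

```shell
#!/bin/sh
# Added example, not part of the original tutorial and not Tripwire's code.
# Parses the plain-text report that twprint produces so a run script can
# decide whether to mail root without depending on the exact spacing of the
# "Total violations found:" line, and lists which rules changed, including
# rules whose long name wraps onto a second line. Assumes sed, awk and sh.

# Print the total violation count from a twprint report; fail if it is absent.
tripwire_violations() {  # usage: tripwire_violations REPORTFILE
    tv_n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$tv_n" ] || return 1
    echo "$tv_n"
}

# Exit 0 when root should be mailed: violations > 0, or the count line is
# missing (the check itself failed, which is worth knowing about too).
tripwire_should_mail() {  # usage: tripwire_should_mail REPORTFILE
    tm_n=$(tripwire_violations "$1") || return 0
    [ "$tm_n" -gt 0 ]
}

# Print "<rule name> added=A removed=R modified=M" for every rule marked
# with "*" in the Rule Summary section. A long rule name wraps, leaving the
# four numbers on the next line, so that line is consumed as a continuation.
tripwire_changed_rules() {  # usage: tripwire_changed_rules REPORTFILE
    awk '
        function emit(name, a, r, m) { printf "%s added=%s removed=%s modified=%s\n", name, a, r, m }
        /^Rule Summary:/          { insum = 1; next }
        /^Total objects scanned:/ { insum = 0 }
        !insum                    { next }
        pending != "" {                               # numbers of a wrapped rule name
            emit(pending, $2, $3, $4); pending = ""; next
        }
        /^\*/ {
            if (NF >= 6 && $NF ~ /^[0-9]+$/) {        # name and numbers on one line
                name = $2; for (i = 3; i <= NF - 4; i++) name = name " " $i
                emit(name, $(NF - 2), $(NF - 1), $NF)
            } else {                                  # numbers follow on the next line
                name = $2; for (i = 3; i <= NF; i++) name = name " " $i
                pending = name
            }
        }' "$1"
}

# Constructed sample in the layout of a twprint -t 4 report; values are made up.
sample_report() {
    cat <<'EOF'
Tripwire(R) 2.3.0 Integrity Check
Report generated by:          root
===============================================================================
Rule Summary:
===============================================================================
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Data Files             100               0        0        0
  Critical Devices                100               0        0        0
  (/proc/kcore)
* Hardware and Device Control Programs
                                  100               1        0        0
* Root config files               100               0        0        1

Total objects scanned:  17363
Total violations found:  2
===============================================================================
Object Detail:
===============================================================================
* Size                953                         951
EOF
}
```

In the run script, `if tripwire_should_mail "$REPORTPRINT"; then mail -s "..." root < "$REPORTPRINT"; fi` replaces the grep, and `tripwire_changed_rules "$REPORTPRINT" | logger -t tripwire` gives a one-line-per-rule summary in /var/log/messages. Treating a missing count line as a reason to mail matters because the cron job rebuilds the database at the end of each run: a check that failed silently would otherwise go unnoticed while the baseline is replaced.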
[2] Test the run script
[root@sample ~]# ./tripwire-check ← run the script once
Because the run script itself has just been added, the system counts as changed and a mail is sent to root. Check root's mailbox to confirm that the check report was received.
[root@sample ~]# ./tripwire-check ← run the script again
No file is likely to have changed between two consecutive runs, so confirm that no mail is sent to root this time.
[3] Viewing the check reports locally on the server
[root@sample ~]# ls -l /usr/local/lib/tripwire/report/ ← list the directory that holds the check reports
total 32
-rw-r--r-- 1 root root 8222 Aug 05:46 sample.centospub.com-20060823.twr ← for example, view this report
-rw-r--r-- 1 root root 8230 Aug 05:46 sample.centospub.com-20060823.twr.bak
[root@sample ~]# cd /etc/tripwire ← enter the Tripwire configuration directory
[root@sample tripwire]# twprint -m r -c tw.cfg -r "/usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr" -L sample.centospub.com-local.key -t 4 > tripwire-report ← save the decrypted report to a file named tripwire-report
[root@sample tripwire]# cat tripwire-report ← view the report
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check
Report generated by:          root
Report created on:            Wed Aug 2006 05:45:01 AM CST
Database last updated on:     Never
===============================================================================
Report Summary:
===============================================================================
Host name:                    sample.centospub.com
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /usr/local/lib/tripwire/sample.centospub.com.twd
Command line used:            tripwire --check -r /usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
  Tripwire Data Files             100               0        0        0
  Temporary Directories           33                0        0        0
  Critical Devices                100               0        0        0
  (/proc/kcore)
  Tripwire Binaries               100               0        0        0
  Libraries                       66                0        0        0
  User Binaries                   66                0        0        0
  Critical System Boot Files      100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  (/sbin/rtmon)
  Shell Related Programs          100               0        0        0
  Operating System Utilities      100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
  OS executables and libraries    100               0        0        0
  System boot changes             100               0        0        0
  Critical configuration files    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
* Root config files               100               0        0        1

Total objects scanned:  17363
Total violations found:  1
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/root/tripwire-check"
===============================================================================
Object Detail:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name:  /root/tripwire-check
  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
  Device Number        64768                       64768
  File Device Number   0                           0
  Inode Number         351317                      351317
  Mode                 -rwx------                  -rwx------
  Num Links            1                           1
  UID                  root (0)                    root (0)
  GID                  root (0)                    root (0)
* Size                 953                         951
* Modify Time          Wed Aug 2006 05:21:26 AM CST
                       Wed Aug 2006 05:43:10 AM CST
* Change Time          Wed Aug 2006 05:21:26 AM CST
                       Wed Aug 2006 05:43:10 AM CST
  Blocks               16                          16
* CRC32                ay0ov9                      bdzm8y
* MD5                  BOEMOWFJEKCSLOJCS/E7MJ      abqn3hl5wf0pytcxugpe5u
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.3 Portions copyright Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
[root@sample tripwire]# rm -f tripwire-report ← delete the decrypted report
[4] Run the check script automatically every day
[root@sample tripwire]# cd ← return to root's home directory, where the run script tripwire-check is
[root@sample ~]# mv tripwire-check /etc/cron.daily/ ← move the script to the directory whose scripts run automatically every day
A script placed under /etc/cron.daily runs automatically every day at 4:02. It checks the state of the system files through integrity monitoring; if files have been added, modified or deleted, a mail is sent to root and automatically forwarded to the forwarding mailbox configured during the initial environment setup.
Using Tripwire to detect whether Linux files have been modified, and from that to judge whether the server has been broken into, is a very effective method: an intruder who can break into your Linux system without modifying any system file is a master among masters.